Advertisement

Critical flaw forces Apple to push first automatic OS X security update

A critical security issue in the network time protocol (NTP) has prompted Apple to push an automatic OS X update to users for the first time. Google researchers discovered the flaw which could allow a remote attacker to "send a carefully crafted packet that can overflow a stack buffer and allow malicious code to be executed." NTP is a common protocol that's been successfully hacked before, so the security hole could result in remote DDoS attacks on many UNIX-based systems, including Linux servers and OS X. The US government deemed it serious enough to flag it, and at first Apple advised users of Yosemite, Mountain Lion and Mavericks to update "as soon as possible." However, several years ago it introduced an automatic OS X update system that requires no user action, and decided to deploy it for the first time ever. An Apple spokesman told Reuters "the update is seamless. It doesn't even require a restart."

Update: Patrick Nielsen, Senior Security Researcher at Kaspersky told us the vulnerability is quite widespread. "The software is installed on everything from consumer gadgets to critical infrastructure; it's possible to execute malicious code on both servers and clients, a dream situation for worms which can spread very quickly by compromising servers and then all their clients," he said. What's more, many firewalls don't block attacks against NTP servers, especially in corporate networks.